xfs: growfs overruns AGFL buffer on V4 filesystems

This loop in xfs_growfs_data_private() is incorrect for V4
superblocks filesystems:

		for (bucket = 0; bucket < XFS_AGFL_SIZE(mp); bucket++)
			agfl->agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);

For V4 filesystems, we don't have a agfl header structure, and so
XFS_AGFL_SIZE() returns an entire sector's worth of entries, which
we then index from an offset into the sector. Hence: buffer overrun.

This problem was introduced in 3.10 by commit 77c95bba ("xfs: add
CRC checks to the AGFL") which changed the AGFL structure but failed
to update the growfs code to handle the different structures.

Fix it by using the correct offset into the buffer for both V4 and
V5 filesystems.

Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Jie Liu <jeff.liu@oracle.com>
Signed-off-by: Ben Myers <bpm@sgi.com>

(cherry picked from commit b7d961b35b3ab69609aeea93f870269cb6e7ba4d)

1 files changed, 5 insertions, 1 deletions

diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
index a6e54b3319bd..02fb943cbf22 100644
--- a/fs/xfs/xfs_fsops.c
+++ b/fs/xfs/xfs_fsops.c
@@ -220,6 +220,8 @@ xfs_growfs_data_private(
          */
         nfree = 0;
         for (agno = nagcount - 1; agno >= oagcount; agno--, new -= agsize) {
+                __be32  *agfl_bno;
+
                 /*
                  * AG freespace header block
                  */
@@ -279,8 +281,10 @@ xfs_growfs_data_private(
                         agfl->agfl_seqno = cpu_to_be32(agno);
                         uuid_copy(&agfl->agfl_uuid, &mp->m_sb.sb_uuid);
                 }
+
+                agfl_bno = XFS_BUF_TO_AGFL_BNO(mp, bp);
                 for (bucket = 0; bucket < XFS_AGFL_SIZE(mp); bucket++)
-                        agfl->agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);
+                        agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);
 
                 error = xfs_bwrite(bp);
                 xfs_buf_relse(bp);